Posh Security

Using the OpenSSH client included in Windows 10 (1809) as your Git’s SSH client

Microsoft has included an OpenSSH client with Windows 10 since the Fall Creators Release (1709). This client has been installed by default since the April 2018 Update (1803). The biggest benefit for the average user is that they can now use a supported OpenSSH client, without downloading and installing any other software.

I was setting up my new Surface Pro 6 and wanted to ensure that I was using the built-in SSH client and, particularly, the SSH Agent. If you are not familiar with the SSH Agent, it caches your private key, so you are not prompted to enter your password for your private key every single time you use it.

I spent some time getting everything to work and wanted to help anyone else who might be having issues.

Side: Why not just use the Credential Provider?

This is a good question! For most users, I recommend that they use the built-in Git Credential Provider. Personally, I prefer using SSH as it is the tool that I am more familiar and comfortable with. It is just a personal preference.

Step 1 – Install Git

Download Git and install it as you normally would.

Step 2 – Ensure OpenSSH client for Windows is installed

Hit Start > type “Optional Feature” > go to the Settings app. Check that “OpenSSH Client” is in the list of installed optional features; otherwise, install it using the “Add a Feature” button.

Step 3 – Put your private SSH keys in the right directory, and specify the correct permissions

Get your existing private key (or generate a new SSH keypair) and place the private key into the .ssh folder in your user profile. By default, you can/should call the private key id_rsa and the public key should be id_rsa.pub.

The SSH key agent will check the permissions of your private key to ensure it is correctly secured. By default, it isn’t, so we will need to update the security permissions on this file by:

  1. Removing inheritance (select copy when prompted).
  2. Removing all users and groups except for SYSTEM and your user account.
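
The same two permission changes can be scripted instead of clicked through. This is an added example, not code from the original post; it assumes the private key sits at the default path named above (.ssh\id_rsa in your user profile) and that you run it as the account that owns the file.

```powershell
# Added example (not from the original post): lock down the private key's ACL.
# Assumption: the key is at the default location described in Step 3.
$keyPath = Join-Path $env:USERPROFILE '.ssh\id_rsa'
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Private key not found: $keyPath"
}

# Identities allowed to remain on the ACL: the current user and
# SYSTEM (well-known SID S-1-5-18).
$keepSids = @(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    'S-1-5-18'
)

# 1. Remove inheritance. The second $true keeps the inherited entries as
#    explicit ones, which matches choosing "copy" in the security dialog.
$acl = Get-Acl -LiteralPath $keyPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $keyPath -AclObject $acl

# 2. Re-read the ACL (every entry is now explicit) and purge each identity
#    that is not in the keep list.
$acl = Get-Acl -LiteralPath $keyPath
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
    if ($keepSids -notcontains $rule.IdentityReference.Value) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }
}
Set-Acl -LiteralPath $keyPath -AclObject $acl

# Show what is left so the result can be checked by eye.
(Get-Acl -LiteralPath $keyPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

The final table should list only SYSTEM and your own account, each with IsInherited set to False. If your account is missing, it previously had access only through a group and needs an explicit entry before the key can be read.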

Step 4 – Update your global Git configuration to use the OpenSSH for Windows

Next, we need to tell Git to use the OpenSSH client provided by Windows and not the one bundled with it. There are two ways you can do this: using the git config command, or editing the global configuration file directly.

Via the Git config command:

git config --global core.sshcommand "C:/Windows/System32/OpenSSH/ssh.exe"

Via the Git global configuration file:

[core]
    sshcommand = C:/Windows/System32/OpenSSH/ssh.exe

Step 5 – Change the start-up properties of the SSH Agent Service.

We will need to change the settings for the SSH Agent’s Windows Service. Using your favourite tool (PowerShell or Services.msc), change the start-up type of the service “OpenSSH Authentication Agent” from Disabled to Manual.

Optional – Start the SSH Agent when PowerShell loads

For the most seamless experience, we should automatically start the SSH Agent just prior to our first need of it.

To do this, I have added the following to my PowerShell profiles:

# True only when the ssh-agent service exists and is currently stopped
$sshAgentStopped = 'Stopped' -eq (Get-Service -Name 'ssh-agent' -ErrorAction SilentlyContinue).Status
Write-Verbose -Message ('SSH Agent Status is stopped: {0}' -f $sshAgentStopped)

# Start the agent only when it is not already running
if ($sshAgentStopped) {
    Write-Verbose -Message 'Starting SSH Agent'
    Start-Service -Name 'ssh-agent'
}

If you don’t perform this step, you will need to manually start the agent, or will need to enter the password for your SSH private key every time you wish to use it.